Regin Cyber-Spy Malware Targeted High-Priority Intelligence Quarry

By Wayne Rash  |  Posted 2014-11-25
Regin Spyware

The difference between the versions was primarily that the first was aimed at 32-bit Windows computers, and the second at 64-bit Windows machines, reflecting the current move in the market to 64-bit platforms.

The obvious next question is who (or what) would go to the trouble and expense required to create Regin, but target only 27 victims? Raiu declined to speculate. However, Adam Kujawa, head of malware intelligence at Malwarebytes, said in an email that it would take a national intelligence agency to actually pull this off.

"It is highly possible that Regin was developed, at least in part, by a nation-state since the resources required for not only the creation of such an intricate and complex tool would be immense, but also the actual control of such a tool would require powerful systems and many man hours of sifting through data to derive meaningful intelligence," Kujawa said.

"The operation of this tool requires a huge effort in line with manual manipulation of how the tool works on an infected network, but also how it communicates with the command and control," Kujawa noted. "Since Regin has a dual communication channel, meaning that the malware can talk to the attacker and the attacker can talk to the malware, it is likely not completely automated and needs constant instructions," he explained.

"All of these factors combined do not make up the signature for a single or couple of hackers. Nor does it fit the M.O. for a cyber-crime organization. This is a constant surveillance operation most likely executed by a government with substantial resources and the know-how to make it happen," Kujawa asserted.

In other words, Regin is less like a cruise missile and more like a drone. It can operate for long periods of time on its own, but ultimately someone needs to be at the controls. In addition, someone needs to be on hand to evaluate the fruits of the intelligence gathering, and to make changes if necessary.

What's important to nearly everyone is that the chances of the Regin malware in its current state attacking your computers or network are basically non-existent—unless, of course, you are of particular interest to the national intelligence agency controlling it.

In that case, it's still possible to prevent infection by strictly following safe practices such as never using critical systems for things like email and chats. But that only works if computers that are doing email and chats are kept off the network.

In addition, now that anti-malware products know what to look for with Regin, they're more likely to find something, but of course that's only true if the creators of this attack don't stay a step ahead. Unfortunately, so far they have.
